8 lessons from the eBay cyber attack

The recent cyber attack on eBay saw up to 145 million people’s details taken in what some have called the biggest digital intrusion of all time. In this piece CBR rounds up the best reactions to the attack, as well as eight lessons businesses and consumers can take from what happened.

1. Users should not use the same password across multiple websites

With so many accounts across so many sites, it’s tempting to use the same credentials wherever you go. The trouble is that if one site is breached, a hacker can gain access to any of your profiles. Paul Martini, CEO, iboss Network Security, says: "There may well be further breaches stemming from this attack and it will be difficult to tie losses from other portals back to this specific breach." If you have an eBay account, it is worth changing passwords across your profiles elsewhere.

2. Perimeter defences need to be complemented with internal encryption

As we have highlighted before, IT security is moving its focus away from perimeter defences and will be investing more heavily in internal defences. "We do need to make sure organisations have appropriate firewalls and threat protections in place," says Andrew Bushby, technology director for mobility and information security, Oracle UK. "But you also have to think about security from the inside – how do you protect the data on the inside, because if they do get past those firewalls you don’t want to let them access the soft underbelly of the environment."

3. Only let people access data when it is strictly necessary

Even before the eBay attack, companies were being advised to segregate data and restrict access to sensitive information, but this must be done more thoroughly. "It highlights why security best practitioners call for a layered approach to procedural and technological defences," says Mark Kedgley, CTO, New Net Technologies, commenting on the eBay breach. "Only provide access to data on a strict needs must basis, and only ever provide users with ‘lowest privilege necessary’ access."

4. Breaches can lead to criminals selling fake caches of data online

After the breach at eBay, somebody found millions of records allegedly up for sale on Pastebin, a web app for storing text. This prompted speculation that the data on offer came from the auction website, a claim the firm shortly denied. Trey Ford, global security strategist, Rapid7, says: "It’s not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale. This happened with the LivingSocial breach too." The coupon site LivingSocial was attacked earlier last month, with 50 million accounts compromised.